[keycloak-dev] Groups design
Stian Thorgersen
stian at redhat.com
Thu Aug 20 02:49:50 EDT 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 20 August, 2015 3:53:28 AM
> Subject: Re: [keycloak-dev] Groups design
>
>
>
> On 8/19/2015 3:17 AM, Stian Thorgersen wrote:
> >>> Have the concept of Role Groups:
> >>> * Role Groups are just a namespace for roles.
> >
> > Just to double check as part of this we're removing the concept of realm
> > and client roles, and we're also adding some ability of defining what
> > roles are listed in adapters (so we can have plain role names, like
> > 'user', in jee apps for example)
> >
>
> Yes. We'll have a flat user role mapping in the token
>
> roles: [ "role1", "role2" ]
>
> You'll either manipulate how roles look in the token via a mapper, or
> you'll define a role mapping within the adapter config. Default role
> mapper on server will specify a URI for the role. BTW, this URI
> probably shouldn't have a DNS name within it. Something like
> role:{realm-name}.{group}.{role-name}. This is so that adapter config
> doesn't have to be changed as it moves from dev->QE->production. BTW,
> this is why I hate the OIDC requirement that the realm is some http://
> based URI.
Do we need realm-name? Seems like that'll only make it hard to use.
I like the OIDC requirement that it's URL based - a realm is not a unique name, but a URL is, and I think it should be unique.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
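The flat `roles` claim and the `role:{realm-name}.{group}.{role-name}` naming Bill sketches above, worked through as an added example (my own illustration, not Keycloak code): the adapter-side role map keyed on `{group}.{role-name}` and the `expected_realm` check are assumptions about how an adapter config might consume such a token.

```python
import re
from typing import Optional

# Proposed token role naming from the thread: role:{realm-name}.{group}.{role-name}
# No DNS name in the URI, so the same adapter config works in dev, QE and production.
ROLE_URI = re.compile(r"^role:(?P<realm>[^.]+)\.(?P<group>[^.]+)\.(?P<role>[^.]+)$")


def parse_role_uri(uri: str) -> Optional[dict]:
    """Split a role URI into realm, group and role; None if it is malformed."""
    m = ROLE_URI.match(uri)
    return m.groupdict() if m else None


def map_token_roles(token_roles, adapter_role_map, expected_realm):
    """Translate the flat `roles` claim into the plain role names an app uses.

    adapter_role_map is a hypothetical adapter-config mapping from
    "{group}.{role-name}" to a local name, e.g. {"app.user": "user"}.
    Roles that are malformed, belong to another realm, or have no entry
    in the adapter map are dropped rather than trusted.
    """
    local = []
    for uri in token_roles:
        parts = parse_role_uri(uri)
        if parts is None or parts["realm"] != expected_realm:
            continue
        name = adapter_role_map.get(f"{parts['group']}.{parts['role']}")
        if name is not None and name not in local:
            local.append(name)
    return local


# Constructed sample token claim, as the flat list the thread proposes.
SAMPLE_ROLES = ["role:myrealm.app.user", "role:myrealm.app.admin",
                "role:other.app.admin", "not-a-role-uri"]
SAMPLE_ADAPTER_MAP = {"app.user": "user", "app.admin": "admin"}

if __name__ == "__main__":
    print(map_token_roles(SAMPLE_ROLES, SAMPLE_ADAPTER_MAP, "myrealm"))  # ['user', 'admin']
```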